UPDATE:  @MYRCURIAL from the great site Liquidmatrix says that I need to post the following warning:

YOU MAY NOT WANT TO PROCESS THIS PRIOR TO YOUR 11TH CUP OF COFFEE

==================================

Carrying on from yesterday’s post a bit, I’m happy to admit that Chris’ poem is right: we don’t have nearly the information we need now when we’re supposed to have “control” over our assets, putting things in a hosted/asp/cloud/buzzword model ain’t going to help our quest for visibility. My intention was/is to show that you need visibility (in part one) and then today explain that unfortunately, that’s only half the picture.

Today’s follow-on is about the fact that whatever visibility we can contractually enforce (be it in the “cloud” or in our own perimeter) has to be informative (Amrit, this is why I was plugging you with those variance questions on Twitter yesterday).  That is, we can ask whatever IT department (ours, theirs, whomever) for all sorts of information, and maybe they’ll even give it to us.  But we’re not really ready to:

• Know what to ask for
• Use it to create wisdom

A really salient example of this from outside IT hit my browser this morning.  Now it’s not at all my intention to be political or endorse one candidate over another.  Those who know me know I’m fiercely independent.  But this morning there’s a headline on a well-read news website about how one candidate is now “+2″ over another in a Gallup poll of “likely voters”. The source is here.

That is a screen grab from Gallup’s website that shows the “+2″.   I have to ask - how informative is this information?  Part of the problem is that Gallup’s methods are hidden as some sort of “secret sauce” (their FAQ section doesn’t help much, either).  But regardless of the quality of the measurement, this “+2″ has no context - we don’t really know what this information means with regards to an actual election.  Nor is there any predictive element (I hate the using the word predictive, but it’s common nomenclature - so there you go).  We don’t have what we need from this Gallup poll to create wisdom about the ability of either candidate to be elected.

Allow me show you what I mean by way of contrast.  Take a look at Nate Silver’s work at http://www.fivethirtyeight.com/.  Now I’ve been long familiar with Nate due to his work in baseball.  He’s been at these sorts of ‘predictive’ analytics around our shared passion: creating wisdom from baseball statistics.

What Nate is doing at 538 is applying that acumen from his baseball work to the political process.  He’s breaking down the vote not just on popularity among likely voters, but in the context of the electoral college, accounting for variance and uncertainty, running Monte Carlo simulations and taking into account all sorts of polling information.  The result is really quite amazing. Here’s just one graph he presents - it’s the most similar to the Gallup one above, but you should really visit the site to understand the difference in quality of information and to check out the predictive elements he creates.

NOT ALL INFORMATION IS CREATED EQUAL, AND NOT ALL  JUDGMENTS ARE CREATED EQUALLY

And take a look at the contrast, here:

On one hand you have Gallup giving us a “+2″ advantage to a particular candidate.  Now Gallup themselves draws no conclusion but, as digested, how many readers do you think take this as evidence that the election is *really* close?

On the other hand, 538’s predictions show a 348/189 electoral college split, and one candidate winning 96% of the time in simulated elections.  That doesn’t seem close at all!

RISK MANAGEMENT

It is these predictive elements that we need in order to make better strategy and decisions.  I’ve been talking in the past about risk management’s inability to link current state to systemic causes, and this “context” is what predictive analytics provide.  We might have all sorts of visibility into our environment, and measurement of various amounts of variability that visibility gives us. But unless we have context to create wisdom, it’s all just, as Chris says, “machinations”.  We have to move beyond “+2″.

So Cloud/Grid/Utility/ASP/TimeShare/Whatever you want to call it - security will have to clean up our own mess first before we can do a good job with or without a perimeter.  Once we can start moving beyond “+2″ statements, then we can know what sort of visibility we require into an ability to Prevent, Detect, and Respond.

HANSEI - WHAT IS “RELENTLESS REFLECTION?” - And why we’re talking about it in the context of Risk Analysis.

Recall from yesterday’s post about how I got to thinking about the concept of Hansei-Kaizen, “relentless reflection” and “continuous improvement” and how we might apply that to risk management.  It’s a concept born of Toyota and is, in some way, the foundation for “Lean” production.

Call me biased, but I think that Hansei - the act of ‘relentless reflection’ made structured is the analytical function.  And I hate to debate (post-mortem) the father of Toyota quality success when he says that Hansei is the “check” in Plan/Do/Check/Act, but I think that Hansei also applies to the “Plan” of the P/D/C/A or Deming cycle.

You’ll recall the P/D/C/A cycle can be thought of even as an implementation of Scientific Method, in that it is Observation & Hypothesis Creation (P), Experiment (D), Analysis (Check), and Act (Revise/New Hypothesis, etc…).  Well then as such, the Hypothesis creation involves creating a model or creating an expected outcome for data using the currently accepted model.

So in our industry there is an opportunity for Relentless Reflection in both the Observation and Hypothesis (Plan) creation steps, and the Check step.  We create an estimate for control strength, or probable losses in the context of risk- then we go to Experiment step.  That hypothesis can be put it into production, have an audit, have a penetration test, whatever, in the context of the Do step.  BTW - using Hansei/Analytics in Plan is one way that strong analytical functions can really make penetration testing more useful - as a means to test the estimates and inputs into a model.  It’s Penetration Testing 2.0!  (<- tongue fully in cheek, yes)

Those who are versed in the reasons to merge Six Sigma and Lean together are probably already seeing where I’m going with this today.  But before you think that a simple DMAIC function is all that is needed to create proper “Hansei”, let me encourage you to keep reading.

Now if the analytical function can said to be “reflection”, why must it be relentless?

One word.  Change. There are essentially four separate “landscapes” or sources of change that we face (more on those tomorrow).  But anyone who has tried to manage system compliance, log management or policy exceptions knows that change is possibly the most difficult thing we security professionals must manage.  And when you think about it, there aren’t too many other business functions like information security where significant visibility and insight about the environment is needed for “complete” information (get bullish on Log Management is my recommendation).

HANSEI STEPS ADAPTED TO INFORMATION SECURITY

This is one of those quality control concepts that we can mangle adopt.  At Toyota, Hansei-Kaizen includes the following basic steps:

1. Initial problem perception
2. Clarify the problem
3. Locate area/point of cause
4. Investigate root cause (using an ask why 5 times approach)
5. Countermeasure
6. Evaluate
7. Standardize

Now it’s important to note that part of this includes the concept of Go See For Yourself, called “Gemba“.  Gemba can be translated as “the actual place” or “the place where virtue or truth is found.” At Toyota this might mean going to the shop floor to see the issue at hand in the production line.  But for us, that’s a problem because we live in the virtual world.  There’s usually not much use in hanging out in the wiring closets to try to see the problems.

But if you combine the concept of Gemba with the concept of “Nemawashi” –the process of discussing problems and potential solutions with all those affected- we can forge a similar concept using risk analysis.  That is discussing the issue and the risk associated with an issue (what some people would call “risk management”) with the business/LOB/data owner and let them accept authority and the risk decision.  We, the risk analyst, our goal is simply to perform items 1-5 (presenting countermeasure options that include transferring or accepting risk).  By going to the line of business and involving them, responsibility is shared.  Also, if you structure organizational behavior right, personal risk is transferred!

This sort of approach is also in harmony with concepts like “mutual ownership of problems,” or “genchi genbutsu,” (solving problems at the source instead of behind desks), and the “kaizen mind,” (an unending sense of crisis behind the company’s constant drive to improve).

One of the criticisms I have with the way most people try to implement DMAIC into “Lean”

REQUIREMENTS

Now to get this done, I really see three significant requirements.

1.)  A change in political structure.

2.)  Models that provide consistent, defensible analysis.

3.)  A Quantitative approach.  This means using actual units of measurement (not just amorphous percents, ordinal scales, etc.)  for risk and it’s subsequent factors.  Sure there are times when Q&D qualitative approaches are acceptable, but policy should be to have quantitative analysis whenever and wherever possible.

That last item - the quantitative approach - is really quite important.  And the reasons why will be discussed further in tomorrow’s post:

“What should we be reflecting about? & What is needed for reflection?”

P.S.  Your comments and suggestions, as always, are welcome.

P.P.S  Those who may be familiar with Lean/SixSigma/Kaizen sorts of mashups may be thinking - “hey, an Analytical step is built into SixSigma”.  Well, yes there is some prevision for analytical functions based on statistics, but I find SixSigma geared towards creating a State of Knowledge about operational processes, not towards creating a State of Wisdom for CISO’s around security & risks “big questions”.  In otherwords, the analytical function in DMAIC is in the context of Kaizen, and a different step than “reflective” analytics.

I have been preaching for some time about what I call complete NAC. That is a complete network access control solution, not just network admission control and certainly not end point access control.  It is not an evil plot to extend Cisco/Microsoft dominance and most importantly Richard, no one and let me say this again, no one has ever said that NAC negates the need for a layered security model.  NAC is just another layer in that model.  Richard’s comments deriding the .edu and .mil markets were also laughable.  Richard, have you ever heard the term military grade?  Are you seriously trying to say that enterprises take security more seriously than the military does?  Come on now Richard.

The bottom line is Joel Snyder is not only a sharp dude technically, but is street savvy enough to run circles around my friend Richard.  He made Richard stay focused on the question at hand, did not let him wander and so Richard had to face reality a bit. I am sure Richard will still say NAC is useless and will admonish people about hanging out with the likes of the StillSecure crowd, but I guess some things will just never change.  Except, I don’t think Richard will be in anymore of these bouts.  Maybe he can start selling a grill that takes the fat out of meat or perhaps a reality TV show like the other washed up palookas ?

IT- GRC is just threat / vulnerability pairing when you consider external regulatory compliance pressures as the Threat Community.  If you think of it this way, you might be able to understand why I’m not keen on the value of GRC many current solutions.   As Shrdlu (or was it rybolov?) once said - GRC is (usually*) just a report. Turns out, it’s just a threat/vulnerability pairing report.

* “usually” is my addition.

Sorry for the lack of content yesterday. Due to a PBCAK failure to pay attention I neglected to publish write yesterday’s article. So, they’ll trickle out over the next couple days I’ll try to do better while Dave takes some time off to work on a personal project. Thanks to all of our new subscribers that joined us yesterday. Welcome!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. The Science behind 3-1-1 Mental Note - When flying this weekend, do not play the part of a vain astronaut.
2. DeCSS is now illegal in Finland Quick - jam the inflatable boat back into the travel pouch — Hurry!
3. Microsoft Whitepaper: Comparing Features - Windows XP SP3 and Vista SP1 smell the slow burn of a sweaty Ballmer
4. CFP (Computers Freedom and Privacy) Conference Roundup from Wired’s 27B/6 MmmmMmmmm… Cyberdyne me baby
5. RIM will not give Blackberry Keys to India Ahhh yes, but to which national governments (besides the Mennonites) have the boyz in Waterloo given the keys?
6. Elevator disables UAC on a per-application basis Do you want to Allow or Cancel?
7. Nottingham University Student Detained DWB (Downloading While Brown) from the US Gov’t - Go Directly to Secret Detention
8. President Bush Signs Landmark Genetic Nondiscrimination Information Act Into Law Gattaca… Gattaca… Gattaca…

More as I process it all (seriously, where the hell does Dave find the time for this every.single.day?)

Tags: News, Daily Links, Security Blog, Information Security, Security News

Sorry for the lack of content yesterday. Due to a PBCAK I neglected to publish yesterday’s articles. So, they’ll trickle out over the next couple days. Thanks to all of our new subscribers that joined us yesterday. Welcome!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. Power Company Slammed For Weak Cyber Security (more on TVA)
2. Congress Alarmed At Cyber-Vulnerability Of Power Grid (TVA again)
3. Customer Info From More Banks May Be On Lost Tape
4. Police: Student Hacker Stole Personal Info Of 55,000
5. Notes from AusCERT 2008
6. Expert dissects Estonian cyber-war
7. ISO 27001 Firewall Compliance Solution Debuts
8. Guidance Software to Offer HBGary Responder™ for Live Memory Analysis in Digital Investigations
9. Microsoft gives students a peek at the future

Tags: News, Daily Links, Security Blog, Information Security, Security News

Quite clearly, web browsing from within these ISPs now depends on the correct functioning of the “Layer 7 switch” and Phorm’s “Anonymiser” machine. This should not be too much of a concern. Network engineers are used to designing out “single points of failure“. Thus, for example, the BT schematics obtained by The Register show parallel systems and cross-coupling of components, so that a single failure will not take out the system. Add in the fact that what are apparently single machines will almost certainly be clusters fronted by intelligent load-balancing devices, and the system is expensive, but extremely resilient.

However, there’s another rather less obvious issue that needs to be addressed.

The bouncing of all web requests back and forth with HTTP 307 redirections means that the system is critically dependent upon the correct resolving of the webwise.net domain. If, for whatever reason, the domain name system (DNS) didn’t return the correct answer when asked for the IP address of webwise.net, then everyone at that ISP would find that their browsing was seriously affected.

If the incorrect address came back as 127.0.0.1 then the customers wouldn’t be able to reach any websites at all — if it came back as the IP address of a machine in downtown St Petersburg, then that site could redirect their web sessions at will — and there’s likely some criminals in that city with some innovative ideas of what could happen next.

So the webwise.net domain has suddenly been promoted to become part of the Critical National Infrastructure (CNI).

The domain is currently hosted at GoDaddy, an american registrar. Last summer the rock-phish gang spent a week running phishing attacks not just against banks, as they usually do, but also against GoDaddy. The immediate reaction was that the criminals wanted to use captured credentials to purchase domain names for free — but wiser heads pointed out that with the login details for a GoDaddy account you were in full control of any domain names that had already been bought : the security of the websites of thousands of major companies (and a great many banks) was resting on the security of eight-character registrar login passwords.

However, firms that have considered the risk don’t buy $10 domain names, but spend rather more, and their registrar will insist on rigorous security checks before altering any details. We must obviously assume that webwise.net is not at risk from registrar phishing in this simplistic way.

The more likely way of subverting what webwise.net resolves to is called “DNS cache poisoning”. There are several ways of doing this (this Wikipedia article provides a helpful summary), most of which shouldn’t work if the ISP has configured their DNS server correctly.

However fundamental weaknesses in the DNS protocol (relying on 16bit values matching to show authenticity) means that DNS forgery attacks can only be made harder, not prevented altogether. Making it harder may currently be sufficient to make phishing attackers use simpler methods — but if the prize is the disruption of web browsing for millions of people…?

There are things that the ISPs can do to improve security — such as each of them making themselves authoritative for webwise.net, which should address the DNS forgery issue. Let’s hope that they haven’t overlooked this.

[[with acknowledgments to Matt Johnson and others involved in understanding this particular design risk]]

The existing samples of code that we have are always plagued by three things though, which makes them difficult to work with and which I don’t care about. Each contain obfuscation for filter evasion, which we’ve already researched to death, payloads, which we have also researched heavily and lastly site specific code, which really is uninteresting to me, unless I were trying to help out that company in particular solve an existing problem. So the goal is to remove those things and focus on the actual XSS propagation, for which there has been little research done to date.

I’ve always said, you don’t understand a problem until you see it and play with it. This is why having experience is always more valuable than schooling in a topic. It’s like trying to get in a fist fight with a professional boxer having never sparred before and expecting to win. If working to help the understanding of worm propagation makes me evil, so be it. I’d rather be evil and be able to help solve problems than be good and be useless at solving the problem (as are most of the nay-sayers, I’ve found). That’s why people like Giorgio Maone (the author of the noscript plugin) chipped in to help the contest. People like him are solving the problem in their own ways as well. It’s in everyone’s best interest to understand all the vectors. Will this empower bad guys? I’d be nieve to say there’s no chance of that. However, the goal here is to understand why the propagation methods were chosen so we can build defenses against them. We actually had tons of interesting findings that will help us narrow down the most dangerous strains, and start making suggestions to browser companies and security companies that are in development of security technologies so that they can build tools to prevent this.

For people who liken me to an anti-virus company writing viruses, I’d like to point out the fact of the matter which is that I don’t get paid to consult with browser companies on browser security (at least I haven’t in the last several years that I’ve been doing this). In the spirit of full disclosure, I have gotten paid to help out with other things, but not browser security. That’s right, I give advice in the browser security arena for free (for which I have actually been chastised by other executives who feel like I’m wasting my time since I’m not making any money on it). I do it because I’m actually interested in solving the problem. To date I also have never been paid by any company who has ever been hit by an XSS worm. I have, however, on several occasions given them intel and advice, pro-bono. Also, unlike an anti-virus company, I don’t have a security product in development. So, yes, tin foil hat wearers can rest easy - this actually is academic. I know, crazy talk! That’s why this is an web app security lab. People visit this site (or should, at least) with the knowledge that we are pushing the boundaries of what’s know about web application security. We aren’t talking about yesterday’s problems. Think the bad guys are going to stop their own research if we stop talking about it? In this profit driven malicious ecosystem, there’s no chance of that anymore. At least in an open format we can come up with solutions, and see the results of each other’s work.

Another interesting point of view, by Kurt Wismer was that I was that by creating diminutive code I will always get an output of obfuscated code (which I have said a number of times I was trying to avoid) because of the coding tricks necessary to make it that small. He’s absolutely right, of course, but that’s a red herring. See, there are two types of obfuscation, which may be beyond the grasp of people who don’t actually work in this field. The first type is obfuscation to create short/lean code. The second is obfuscation for filter evasion (MD5ing something, hex encoding something, making something polymorphic, not using the word “eval” but “ev”+”al” to beat some regex or string matching, etc…). I’m sorry I didn’t clarify - that’s probably non obvious for people who don’t understand webappsec. So unfortunately, for the most part that’s actually not an interesting comment, although there are some tidbits in some of the variants of code that actually do cause some problems that I will need to disregard for the sake of research, which I’ll talk about after the contest is over.

Anyway, over the last few days I’ve been called a moron, an idiot and probably a half dozen other things. But through it all, I’m 100% confident that this will lead to previously non-published/understood results about worm propagation (I’m confident, because it’s already yielded some various interesting problems that we have had to clarify using rules that I didn’t even think would come up). And I’m also confident that this will lead to ways in which we can protect ourselves from them - not today, certainly, but over time as we as a community start building tools to prevent these issues based, in part, on the results of this contest. I wouldn’t guess that everyone reading this will “get it” as most people don’t really understand how the security world works. I would, however, hope that everyone sits tight and holds their dramatic postings for the results, or at least asks me what I think instead of jumping to wild conclusions. Christmas is already over though, and I already got my wishes granted so I won’t be surprised if it doesn’t happen.

So that’s the drama! Gotta love it, huh? Where would I be without the under-educated rants and conspiracy theories? The good news is that there is a lot of really interesting research coming out of the contest, and numbers are approaching the 150-170 byte range. We’re already seeing some trends emerge about the most size efficient ways to write the code, and the ways in which the code must work for best propagation results and portability. The two methods of actual spread that appear to be building to a consensus among the submissions are XMLHttpRequest and submit events. We’ll see how things turn out, but I’m quickly getting a feeling these are by far the two most likely candidates for worm propagation. My question is what sort of valid reasons can people come up with on why the browser should automatically submit a form without user interaction? More detailed analysis to come once we get closer to the cutoff. Amazing stuff!

Pandora is already out of the box, folks, and for good or bad Samy was the culprit, not me. Time to start working on solutions, rather than trying to keep the research quiet.